Teensy AVRs used in penetration testing

While some people know that you should be wary of USB drives of unknown origin, the same care is rarely, if ever, exercised with USB peripherals. The security firm Netragard recently used this to their advantage when performing a penetration test at a client’s facility. The client’s rules of engagement excluded social attack vectors via social networks, telephone, or email, and disallowed any physical access to the campus, so the team at Netragard knew they would have to get creative.

They purchased a Logitech USB mouse and disassembled it in order to add their payload. A Teensy microcontroller was programmed to emulate a USB keyboard, typing commands over the mouse’s USB connection once it had been plugged into a computer. Because the host sees nothing but an ordinary HID keyboard, the injected keystrokes run with the privileges of whoever is logged in and trigger no driver installation or autorun prompt. Using an undocumented exploit in McAfee’s antivirus suite, they evaded detection while the typed commands installed malware from a flash drive they hid alongside the Teensy.

Once the mouse was reassembled, they repackaged it with some marketing materials to make it look like part of a promotional event. They purchased a detailed list of employees, singled out an easy target, and sent the malicious mouse on its way. Within three days their malware was running on the victim’s computer and the test was deemed a success.

42 thoughts on “Teensy AVRs used in penetration testing”

“they repackaged it along with some marketing materials to make it look like part of a promotional event. They purchased a detailed list of employees and singled out an easy target, sending their malicious mouse on its way.”

I have a Teensy, and I programmed it to run gedit and type out a Python script, save it, and run it. It was trivially easy to do.

The Teensy can also do USB storage, so it could be programmed to “wake on USB” a computer in the middle of the night, boot off USB, and probe the network for whatever it can. The possibilities are endless with this thing.

What is the point of this? If the client rules out social engineering via phone and Facebook, it isn’t a real penetration test. Social engineering via email, phone, or social networking is the easiest way in, and why wouldn’t the client want to know what their staff really were aware of? Oh, and “Using an undocumented exploit in McAfee’s antivirus suite” is complete bull; you can encode a Metasploit payload that will get around 99% of antivirus. Antivirus based on signatures is fail.

John: saw yellow electrical tape, no scotch tape. Hot glue would have been better, yes, but the results speak for themselves.

Bobby J: Singled out an easy target = giving it to someone who lacks the social skills (like yourself) to be suspicious of a freebie, or lacks the computer skills to realize what’s going on. The fact that you assume that the test subject was female tells me a lot more about you. And I applaud your right to freedom of speech, and your right to make a complete ass of yourself, if you acknowledge my right to call you out on it. Grow up.

I tend to be lax about these things, having “travel sized” mice and USB hubs in my backpack… all free at tech events.

I see no reason why the mouse-keyboard emulation trick would fail under Linux. That made me pause.

However, that malware would only have rights to do things that I do as non-privileged. It could not write to /bin unless the mouse contained a second exploit to escalate privileges.

The malware could not open port 25 to quietly send spam – although it could hijack my personal email account.

There is no such thing as perfect security, but less imperfect security has multiple checkpoints or layers like an onion. I could not IMAGINE putting all of my faith in some bolt-on application to protect you, the way an anti-virus program claims to do (I don’t even have one installed, but again: Linux). :-)

Surely you are aware that stereotypes are based on anecdotal norms, thus playing the percentages to win. When I think of a soft security target I would go after a demographic that

1. Likes free stuff, and will use it
2. Isn’t ITSec conscious

Since the female demographic displays both these traits (arguably everybody loves free stuff) it is a legitimate assumption.

Personally I would have gone with something more subtle. Say, brand the mouse with a fancy logo and send it to a management type that was responsible for Netragard’s involvement. They would surely cherish it as a token of their glorious management skills and show it off by using it.

Given how small the pool of security-conscious is… I’d hope everyone would agree that gender has absolutely no meaning in the data.

That’s why companies have policies. Or should.

Smart companies even have written policy to NOT take your company or personal phones to China, as your phone can be spoofed into loading anything as firmware. They require use of a temporary/throwaway phone, and to be mindful of your conversations.

Gender may not have a significant impact, but I am male and did IT for several years; I would not have fallen for this hack, simply because I already have the hardware I want and would not swap it out. Even for free.

That said, nearly everyone I work with would… and I would have given it to them. :(

Just goes to show that our security sucks and physical access is king. I have worked in a place where the whole PC was physically locked down and you only had a power button/keyboard/mouse/monitor as I/O.

Seriously, I thought the term “broad” went out with the 80’s. I have too much respect for women (especially my wife) to use such a degrading label.

Just for grins and giggles, what do you think Limor or Jeri would do if they received a free mouse? I think they would take it apart; I know I would, if only to harvest the switches to keep my trackball working properly. You want to protect the project? Put it in a wireless mouse; at least that’s a little more useful.

o.O Who takes free stuff and uses it at work, for their employer’s gain? Crazyfolk.

As ever, all this proves is that we are more vulnerable than the machine is. Short of various ways of disabling/making inaccessible the USB ports, I can’t think of a practical way to defend against this vector.

Hi, Paul here… the guy who created Teensy and wrote the Teensyduino add-on for Arduino. When I started this project, I imagined people would do things like key in stored data, control things… and indeed many have. I only hope in the end some good comes of this “pen testing” stuff.

Someday, I would imagine, all operating systems will have some dialog that pops up for you to authorize a new keyboard or mouse. Today, OS X is the only system that does anything like that, and it’s only to choose the keyboard mapping. Not even Linux does this today, and it’ll be interesting to see if Microsoft ends up (eventually) taking the lead on this and everyone else copies, or if the others will be more proactive. But the days of just letting any new keyboard work automatically without being affirmatively authorized are numbered. It may take years, but eventually poor security practice (like autorun on removable media) just can’t go on forever.

@Paul: good point about the need to authenticate input peripherals in some way. I guess we’ll have that in some form sooner or later, but the point to make is that the reason they aren’t there (and autorun used to be) is the near-nonexistent concern of private users about intrusions; corporate users might be much more concerned about such things, but Windows is generally written for the Average Joe (’s mom, possibly), thus cares more about the convenience of a self-started application on plug-in than its security implications, I think.

Along the same lines – disregarding the fact that mice and such don’t require drivers – how sure are you that that same thing wouldn’t have worked with no HW modifications whatsoever, by simply including an artfully crafted “drivers mini-cd” – auto-started or not – urging the user to “install the drivers”…?

Linux being the kernel only contains the USB stack.. what your userland does is up to the userland in question. There is no reason you couldn’t do something with udev, dbus etc to authorize USB devices on connect via a popup on your favourite desktop environment.. I can see it annoying the tits off of most people though.
I’m not sure how you authorize input devices before you have authorized an input device to authorize the input device..

>taking the lead on this and everyone else copies

Blacklist all the USB ids that your boards have? Invent a new authentication protocol over USB for input devices that requires ONE MILLION US DOLLARS to license and reject input devices that aren’t licensed?

>>just letting any new keyboard work automatically

I think this is being a bit dramatic..

>>authorized are numbered.

Again, I don’t know how you’re supposed to authorize anything if everything has to be authorized first. How do you authorize your mouse before you authorize your monitor, memory, processor,.. it sounds like you want an extension of Trusted Computing whereby all hardware has to authorize itself before anything can happen. I wonder who that will benefit? Not users. And the dumb shits that would attach some USB device that came in the post out of the blue.. my guess is they would click OK either way.

>>poor security practice

OSes trusting the user not to be an idiot and not attach devices they have no idea about is not “poor security practice”.. its more about making the computer a useful machine. I can lock a machine in a safe and weld the door shut.. it will be secure against this “exploit” but how the hell do I use it?

If one of the antivirus vendors wants to work around this there is no reason they couldn’t come up with some sort of USB sandbox that devices are initially attached to and monitored. And catching devices that appear out of nowhere when an input device is attached and asking the user if that is cool.. lots of devices present a composite device or mode switch though (not sure if there are any input devices that do that yet.. CDROM emulator with drivers are common though) so that could get messy…

Anyhow, the sky isn’t falling in. Businesses still using IE6 etc are a much bigger problem than this.

In regards to people talking of USB Device authorisation. HID devices could be authenticated by asking the user to type specific randomly generated stuff before the peripheral will work outside of that specific environment.

@cantido, the only way I can see a peripheral authorization system working would be having a white list of serial numbers pushed down to desktop systems. This removes the end user as a weak link because they will never get a prompt to allow/deny a peripheral.

Actually, it seems pretty simple for the USB authorization system to not accept keyboard input from a device which says it is a mouse.

Not saying implementation of above paragraph is trivial, but it is certainly logical. You would not need a list of approved USB ids (which can be spoofed anyways), or device signing/trusted device, etc.

I’m not familiar with the dark depths of the Microsoft Policy editor, or Linux AppArmor, but this might already be possible.

So all the rogue device needs to do is wait until the legit device it’s piggybacked on is authorized and then do its business. This is all stupid anyhow.. these guys were asked to try to break in from the outside, so they used social engineering, which is exactly what they were asked not to do.

@willow

so you have the bogus device change its USB id to various common types of keyboard etc like the ones Dell ship with their machines until you find something that works. IIRC (I haven’t had the displeasure of admining windows systems for a few years) the security policy stuff for executables users were allowed to use worked on filenames,.. yes, filenames,.. msn.exe is not allowed? Rename it to msn1.exe, oh it works. I wouldn’t put too much faith in it to be honest.

@ScottinNH

Eh, does AppArmor even get involved here? Unless you’re using the older Xorg drivers that are closer to the hardware, all the HID stuff is done in the kernel and presented to Xorg as nice input events… you could use udev rules to disallow hardware you don’t want, but that doesn’t stop a rogue device spoofing common devices.
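The udev-based gating that this comment mentions, worked through as an added example (not code from the article, Netragard, or any commenter): a default-deny gate on the Linux kernel’s per-device “authorized” switch, keyed on vendor, product and serial, plus the check proposed a few comments earlier that a device listed as a mouse must not expose a keyboard interface. The rule file path, script path, allowlist format and sample entries are all this example’s own assumptions.

```shell
#!/bin/sh
# usb-gate.sh: gate newly attached USB devices with the Linux kernel's
# "authorized" switch, so an unknown device (mouse, keyboard or otherwise)
# is never configured and never gets to type.
# Added example, not code from the article, Netragard or any commenter.
# Assumed deployment (every path and name below is this example's own):
#   * at boot, before anything is plugged in, default-deny each root hub:
#       for h in /sys/bus/usb/devices/usb*; do echo 0 > "$h/authorized_default"; done
#   * /etc/udev/rules.d/90-usb-gate.rules:
#       ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device",    RUN+="/usr/local/sbin/usb-gate.sh"
#       ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", RUN+="/usr/local/sbin/usb-gate.sh"
#   * /etc/usb-gate.allow: one "vid:pid:serial:kind" per line, lowercase hex as in
#     sysfs; serial "*" matches any serial; kind is kbd, mouse or any.  Internal
#     hubs, webcams and so on must be listed too, or they stay dead after boot.

ALLOWLIST="${USB_GATE_ALLOWLIST:-/etc/usb-gate.allow}"

# Write a constructed sample allowlist (entries invented for this example) to $1.
usb_gate_write_sample_allowlist() {
    cat > "$1" <<'EOF'
# vid:pid:serial:kind
0424:2514:*:any
046d:c077:*:mouse
04d9:0169:KB-7731:kbd
EOF
}

# Look up vid pid serial in the allowlist. Prints the listed kind and returns 0
# on a match; prints nothing and returns 1 otherwise.
usb_gate_lookup() {
    g_vid=$1; g_pid=$2; g_serial=$3
    [ -r "$ALLOWLIST" ] || return 1
    while IFS=: read -r lv lp ls lk; do
        case $lv in ''|'#'*) continue ;; esac
        [ "$lv" = "$g_vid" ] && [ "$lp" = "$g_pid" ] || continue
        if [ "$ls" = '*' ] || [ "$ls" = "$g_serial" ]; then
            printf '%s\n' "${lk:-any}"
            return 0
        fi
    done < "$ALLOWLIST"
    return 1
}

# Device-level decision, made while the device is still unconfigured:
# "authorize" only for an allowlisted vid:pid:serial, otherwise "deny".
usb_gate_device_decision() {
    if usb_gate_lookup "$1" "$2" "$3" >/dev/null; then echo authorize; else echo deny; fi
}

# Interface-level decision, made once an authorized device exposes its
# interfaces: a device listed as a mouse must not carry a HID boot-keyboard
# interface (bInterfaceClass 03, bInterfaceProtocol 01).  Prints "ok" or "revoke".
usb_gate_interface_decision() {
    case "$1:$2:$3" in
        mouse:03:01) echo revoke ;;
        *)           echo ok ;;
    esac
}

# udev entry point; ACTION, DEVPATH and DEVTYPE come from udev's environment.
usb_gate_udev() {
    dev=/sys$DEVPATH
    case $DEVTYPE in
    usb_device)
        vid=$(cat "$dev/idVendor"); pid=$(cat "$dev/idProduct")
        serial=$(cat "$dev/serial" 2>/dev/null || true)
        case $(usb_gate_device_decision "$vid" "$pid" "$serial") in
        authorize) echo 1 > "$dev/authorized"; logger -t usb-gate "authorized $vid:$pid serial=$serial" ;;
        deny)      logger -t usb-gate "denied $vid:$pid serial=$serial at $DEVPATH" ;;
        esac ;;
    usb_interface)
        parent=${dev%:*}                       # .../1-1:1.0 -> .../1-1
        vid=$(cat "$parent/idVendor"); pid=$(cat "$parent/idProduct")
        serial=$(cat "$parent/serial" 2>/dev/null || true)
        kind=$(usb_gate_lookup "$vid" "$pid" "$serial" || echo any)
        class=$(cat "$dev/bInterfaceClass"); proto=$(cat "$dev/bInterfaceProtocol")
        if [ "$(usb_gate_interface_decision "$kind" "$class" "$proto")" = revoke ]; then
            echo 0 > "$parent/authorized"
            logger -t usb-gate "revoked $vid:$pid: listed as $kind but exposes HID class $class protocol $proto"
        fi ;;
    esac
}

# Only act when udev invoked us; sourcing the file (e.g. to test) runs nothing.
if [ "${ACTION:-}" = add ] && [ -n "${DEVPATH:-}" ]; then
    usb_gate_udev
fi
```

Three caveats a practitioner should keep in mind. Vendor ID, product ID and serial are all spoofable, as the thread already notes, so the allowlist only raises the bar from “any device works” to “a device that impersonates one you own works”. The interface check is a heuristic: a rogue device that declares the non-boot HID protocol (bInterfaceProtocol 00) and hides keyboard usages in its report descriptor passes it. And because the interface check runs from udev after the kernel has already configured the device, usbhid may bind and accept a few keystrokes before the revocation lands; kernels 4.4 and later add per-interface authorization (an “authorized” attribute on each interface and “interface_authorized_default” on the root hub), which closes that window.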

And in other news .. having people in the same room as you when you type in your passwords is really bad security policy.

The idea that the client ruled out social engineering entirely is based on the slightly misworded articles here and in The Register. To quote their own article on the hack:

“The scope included a single IP address bound to a firewall that offered no services whatsoever. It also excluded the use of social attack vectors based on social networks, telephone, or email and disallowed any physical access to the campus and surrounding areas”

This isn’t anything new… They ripped this off of Irongeek. He conducted the exact same thing over a year ago and even gave a write-up on how to do it… Netragard, you suck. You’re just copying other people’s work and reproducing it in your own name. Pathetic…
